
IEC Certification Kit

Model-Based Design for EN 50128

R2015a
How to Contact MathWorks
Latest news: www.mathworks.com
Sales and services: www.mathworks.com/sales_and_services
User community: www.mathworks.com/matlabcentral
Technical support: www.mathworks.com/support/contact_us
Phone: 508-647-7000
The MathWorks, Inc.
3 Apple Hill Drive
Natick, MA 01760-2098
IEC Certification Kit: Model-Based Design for EN 50128
© COPYRIGHT 2012–2015 by The MathWorks, Inc.
The software described in this document is furnished under a license agreement. The software may be used or copied only under
the terms of the license agreement. No part of this manual may be photocopied or reproduced in any form without prior written
consent from The MathWorks, Inc.
FEDERAL ACQUISITION: This provision applies to all acquisitions of the Program and Documentation by, for, or through the
federal government of the United States. By accepting delivery of the Program or Documentation, the government hereby agrees
that this software or documentation qualifies as commercial computer software or commercial computer software documentation
as such terms are used or defined in FAR 12.212, DFARS Part 227.72, and DFARS 252.227-7014. Accordingly, the terms and
conditions of this Agreement and only those rights specified in this Agreement, shall pertain to and govern the use, modification,
reproduction, release, performance, display, and disclosure of the Program and Documentation by the federal government (or
other entity acquiring for or through the federal government) and shall supersede any conflicting contractual terms or conditions.
If this License fails to meet the government’s needs or is inconsistent in any respect with federal procurement law, the
government agrees to return the Program and Documentation, unused, to The MathWorks, Inc.
Trademarks
MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See www.mathworks.com/trademarks for a
list of additional trademarks. Other product or brand names may be trademarks or registered trademarks of their respective
holders.
Patents
MathWorks products are protected by one or more U.S. patents. Please see www.mathworks.com/patents for more
information.
Revision History
September 2012 New for Version 3.0 (Applies to Release 2012b)
March 2013 Revised for Version 3.1 (Applies to Release 2013a)
September 2013 Revised for Version 3.2 (Applies to Release 2013b)
March 2014 Revised for Version 3.3 (Applies to Release 2014a)
October 2014 Revised for Version 3.4 (Applies to Release 2014b)
March 2015 Revised for Version 3.5 (Applies to Release 2015a)
Contents
1 Model-Based Design for EN 50128 ................................................................................................. 1-1
1.1 Reference Workflows .............................................................................................................. 1-2
2 Applicable Model-Based Design Tools and Processes .................................................................... 2-1
2.1 EN 50128 Annex A.1 Clauses Tables ..................................................................................... 2-2
Table A.1 – Lifecycle Issues and Documentation ................................................................... 2-2
Table A.2 – Software Requirements Specification.................................................................. 2-5
Table A.3 – Software Architecture .......................................................................................... 2-5
Table A.4 – Software Design and Implementation ................................................................. 2-8
Table A.5 – Verification and Testing .................................................................................... 2-11
Table A.6 – Integration ......................................................................................................... 2-13
Table A.7 – Overall Software Testing ................................................................................... 2-13
Table A.8 – Software Analysis Techniques .......................................................................... 2-14
Table A.9 – Software Quality Assurance .............................................................................. 2-14
Table A.10 – Software Maintenance ..................................................................................... 2-15
2.2 EN 50128 Annex A.2 Detailed Tables .................................................................................. 2-16
Table A.12 – Coding Standards............................................................................................. 2-16
Table A.13 – Dynamic Analysis and Testing ........................................................................ 2-18
Table A.14 – Functional/Black Box Test .............................................................................. 2-19
Table A.16 – Diagrammatic Languages for Application Algorithms.................................... 2-19
Table A.17 – Modeling ......................................................................................................... 2-20
Table A.18 – Performance Testing ........................................................................................ 2-20
Table A.19 – Static Analysis ................................................................................................. 2-21
Table A.20 – Components ..................................................................................................... 2-22
Table A.21 – Test Coverage for Code ................................................................................... 2-22

1 Model-Based Design for EN 50128

This documentation provides annotated versions of techniques/measures tables that appear in the
EN 50128 standard. The annotated tables provide suggestions on how to use Model-Based
Design products from MathWorks® to apply the techniques/measures listed in the standard for
different Safety Integrity Levels (SILs).
The IEC Certification Kit provides additional support when using Model-Based Design for EN
50128 applications, including reference workflows for verifying and validating models and
generated code.
1.1 Reference Workflows
EN 50128 requires the selection of a lifecycle model for the development of software; however,
the standard does not mandate the use of a particular software development lifecycle. The
chosen lifecycle shall be detailed in the Software Quality Assurance Plan.
To aid the selection and documentation of a lifecycle model for projects that use Model-Based
Design, the IEC Certification Kit provides the following reference workflows:
- Embedded Coder™ Reference Workflow
- Polyspace® Bug Finder™ Reference Workflow
- Polyspace® Code Prover™ Reference Workflow
- Simulink® Design Verifier™ Reference Workflow
- Simulink® Verification and Validation™ Reference Workflow

2 Applicable Model-Based Design Tools and Processes

2.1 EN 50128 Annex A.1 Clauses Tables

Table A.1 – Lifecycle Issues and Documentation

Documentation | SIL 0 | SIL1/SIL2 | SIL3/SIL4 | Applicable Model-Based Design Tools and Processes | Comments

Planning
1. Software Quality Assurance Plan | HR | HR | HR | IEC Certification Kit | Reference workflows contained in the kit can aid the creation of a software development lifecycle. The software quality assurance plan should reference an application-specific version of this document, listing the justification for the chosen combination of techniques.
2. Software Quality Assurance Verification Report | HR | HR | HR | |
3. Software Configuration Management Plan | HR | HR | HR | Simulink®; Simulink – Projects | Software components must be clearly identified and have an independent version inside the CM system or must be part of a collection of components which have an independent version. Simulink can interface with configuration management systems; model and parameter files can be treated as configuration items. Simulink Projects supports configuration management when using Model-Based Design.
4. Software Verification Plan | HR | HR | HR | | Address selection of techniques from tables A.5 – A.8.
5. Software Validation Plan | HR | HR | HR | |

Software Requirements
6. Software Requirements Specification | HR | HR | HR | Simulink; Stateflow® | Requirements models (early executable specifications) can assist software requirements specification.
7. Overall Software Test Specification | HR | HR | HR | |
8. Software Requirements Verification Report | HR | HR | HR | |

Architecture and Design
9. Software Architecture Specification | HR | HR | HR | Simulink; Stateflow; Simulink – Model Dependency Viewer, SDD report; Simulink Report Generator | Simulink and Stateflow can support software architecture specification for the application software. When using model blocks or libraries to structure a model, the Model Dependency Viewer can display a graph of models and libraries referenced by the top model. The System Design Description report documents aspects of the Software Architecture Specification.
10. Software Design Specification | HR | HR | HR | Simulink; Stateflow; Simulink – Model Dependency Viewer, SDD report; Simulink Report Generator | Simulink and Stateflow can support software design specification for the application software. When using model blocks or libraries to structure a model, the Model Dependency Viewer can display a graph of models and libraries referenced by the top model. The System Design Description report documents aspects of the Software Design Specification.
11. Software Interface Specifications | HR | HR | HR | Simulink; Simulink Report Generator | Simulink can be used to fully specify the model interface. The System Design Description report documents aspects of the Software Interface Specification.
12. Software Integration Test Specification | HR | HR | HR | |
13. Software/Hardware Integration Test Specification | HR | HR | HR | |
14. Software Architecture and Design Verification Report | HR | HR | HR | |

Component Design
15. Software Component Design Specification | R | HR | HR | Simulink Report Generator | The System Design Description report documents aspects of the Software Component Design Specification.
16. Software Component Test Specification | R | HR | HR | |
17. Software Component Design Verification Report | R | HR | HR | |
18. Software Source Code and supporting documentation | HR | HR | HR | Embedded Coder™ – Code Generation Report |
19. Software Component Test Report | R | HR | HR | MATLAB® Report Generator™; Simulink® Report Generator™ |
20. Software Source Code Verification Report | HR | HR | HR | Simulink® Code Inspector™ – Report |
21. Software Integration Test Report | HR | HR | HR | MATLAB Report Generator |
22. Software/Hardware Integration Test Report | HR | HR | HR | MATLAB Report Generator |
23. Software Integration Verification Report | HR | HR | HR | MATLAB Report Generator |
24. Overall Software Test Report | HR | HR | HR | |
25. Software Validation Report | HR | HR | HR | |
26. Tools Validation Report | R | HR | HR | IEC Certification Kit | Certificate reports contained in the kit provide evidence for validation of Embedded Coder™, Simulink® Verification and Validation™, Simulink® Design Verifier™, Polyspace® Bug Finder™, and Polyspace® Code Prover™. The kit contains tool validation test harnesses and test cases that can aid the creation of tool validation reports for Embedded Coder, Simulink Verification and Validation, Simulink Design Verifier, Polyspace Bug Finder, and Polyspace Code Prover.
27. Release Note | HR | HR | HR | |

Systems Configured By Application Data/Algorithms
28. Application Requirements Specification | HR | HR | HR | |
29. Application Preparation Plan | HR | HR | HR | |
30. Application Test Specification | HR | HR | HR | |
31. Application Architecture and Design | HR | HR | HR | |
32. Application Preparation Verification Report | HR | HR | HR | |
33. Application Test Report | HR | HR | HR | |
34. Source Code of Application Data/Algorithms | HR | HR | HR | |
35. Application Data/Algorithms Verification Report | HR | HR | HR | |

Software Deployment
36. Software Release and Deployment Plan | R | HR | HR | |
37. Software Deployment Manual | R | HR | HR | |
38. Release Notes | HR | HR | HR | |
39. Deployment Records | R | HR | HR | |
40. Deployment Verification Report | R | HR | HR | |

Software Maintenance
41. Software Maintenance Plan | R | HR | HR | |
42. Software Change Records | HR | HR | HR | |
43. Software Maintenance Records | R | HR | HR | |
44. Software Maintenance Verification Report | R | HR | HR | |

Software Assessment
45. Software Assessment Plan | R | HR | HR | |
46. Software Assessment Report | R | HR | HR | |

Table A.2 – Software Requirements Specification

Technique/Measure | SIL 0 | SIL1/SIL2 | SIL3/SIL4 | Applicable Model-Based Design Tools and Processes | Comments

1. Formal Methods (based on a mathematical approach) | - | R | HR | Simulink – Model Verification block library | Model Verification blocks can be used to formalize software safety requirements and other model properties.
2. Modeling | R | R | HR | Simulink; Stateflow | Simulink and Stateflow can be used to draw data flow, control flow, finite state machines, state transition diagrams and truth tables. See Table A.17 (2,3,4,6). Models can be enhanced with text, equations, figures and hyperlinks.
3. Structured Methodology | R | R | HR | Simulink – Subsystems, model blocks | Simulink can be used to develop requirements models (early executable specifications). Subsystem blocks and Model blocks can be used to structure such models.
4. Decision Tables | R | R | HR | Simulink – Combinatorial Logic block; Stateflow – Truth Table block | The Combinatorial Logic block implements a standard truth table for modeling decision tables and other Boolean expressions. The Truth Table block enables the usage of truth table logic directly in a Simulink model.


Table A.3 – Software Architecture

Technique/Measure | SIL 0 | SIL1/SIL2* | SIL3/SIL4** | Applicable Model-Based Design Tools and Processes | Comments

1. Defensive Programming | - | HR | HR | Simulink; Stateflow; Simulink – Modeling Guidelines for High-Integrity Systems | Defensive programming can be implemented in Simulink and Stateflow. The Modeling Guidelines for High-Integrity Systems facilitate defensive programming at the model level.
2. Fault Detection & Diagnosis | - | R | HR | Simulink; Stateflow | Simulink and Stateflow can be used to design fault detection and diagnosis.
3. Error Correcting Codes | - | - | - | |
4. Error Detecting Codes | - | R | HR | |
5. Failure Assertion Programming | - | R | HR | Simulink; Stateflow | Failure assertion checks can be designed using Simulink or Stateflow.
6. Safety Bag Techniques | - | R | R | |
7. Diverse Programming | - | R | HR | Simulink; Stateflow; Fixed-Point Designer™ | Software diversity for algorithmic parts can be supported by executing floating-point and fixed-point versions of an algorithm in parallel and then comparing the results.
8. Recovery Block | - | R | R | |
9. Backward Recovery | - | NR | NR | |
10. Forward Recovery | - | NR | NR | |
11. Retry Fault Recovery Mechanisms | - | R | R | Simulink; Stateflow | Simulink and Stateflow can be used to design fault detection, isolation, and recovery (FDIR) algorithms.
12. Memorizing Executed Cases | - | R | HR | |
13. Artificial Intelligence – Fault Correction | - | NR | NR | |
14. Dynamic Reconfiguration of software | - | NR | NR | |
15. Software Error Effect Analysis | - | R | HR | |
16. Graceful Degradation | - | R | HR | Stateflow | Stateflow can be used to design graceful degradation behaviour.
17. Information Hiding | - | - | - | |
18. Information Encapsulation | R | HR | HR | |
19. Fully Defined Interface | HR | HR | M | Simulink – Model blocks; Simulink Verification and Validation – EN 50128 checks | The usage of model blocks facilitates well defined interface specifications at the model block boundaries. EN 50128 Model Advisor check “Check for fully defined interface” identifies root model Inport blocks that have missing attributes.
20. Formal Methods | - | R | HR | |
21. Modeling | R | R | HR | Table A.17 – Modeling | Architecture in Simulink can be represented using data flow diagrams. See Table A.17 (2) Data Flow Diagrams.
22. Structured Methodology | R | HR | HR | Simulink – Subsystems, model blocks; Simulink Verification and Validation – Requirement Management Interface | Simulink can be used to develop architectural design models. Subsystem blocks and Model blocks can be used to structure such models. Simulink Verification and Validation – Requirement Management Interface can be used for traceability from requirements documents to the models.
23. Modeling supported by computer aided design and specification tools | R | R | HR | Simulink | Architecture in Simulink can be represented using data flow diagrams. See Table A.17 (2) Data Flow Diagrams.

* Approved combination of techniques for SIL 1 / SIL 2:
- 1, 19, 22, and one from 2, 4, 5, 7, 12, 15 or 21
** Approved combinations of techniques for SIL 3 / SIL 4:
- 1, 7, 19, 22, and one from 4, 5, 12 or 21
- 1, 4, 19, 22, and one from 2, 5, 12, 15 or 21
Comments
<Specify chosen combination of techniques and add justification>

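As an added illustration of the Diverse Programming entry in Table A.3 (7), the following C code is not from MathWorks or the IEC Certification Kit; it shows, in hand-written C, what executing a floating-point and a fixed-point (Q15) version of the same first-order low-pass filter in parallel and comparing the results looks like, including how a corrupted channel is caught on the next sample. The filter, the coefficient, the tolerance, the input range, the sample data and all names are assumptions chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not MathWorks code. Two diverse implementations of the
 * first-order low-pass filter  y[n] = y[n-1] + ALPHA * (x[n] - y[n-1])
 * run in parallel on the same input and are cross-checked, as Table A.3 (7)
 * describes for Diverse Programming. Coefficient, tolerance, input range
 * and all names are assumptions made for this illustration. */

#define ALPHA_F    0.25f      /* coefficient, floating-point channel        */
#define ALPHA_Q15  8192       /* same coefficient in Q15: 0.25 * 2^15        */
#define Q15_ONE    32768.0f   /* scale of the Q15 representation             */
#define TOLERANCE  0.01f      /* largest accepted |float - fixed| difference */

typedef enum { DIVERSE_OK = 0, DIVERSE_MISMATCH = 1 } diverse_status_t;

typedef struct {
    float   y_float;  /* state of channel A (float) */
    int16_t y_q15;    /* state of channel B (Q15)   */
} diverse_filter_t;

/* Channel A: plain floating-point arithmetic. */
static float lpf_float_step(float y_prev, float x)
{
    return y_prev + ALPHA_F * (x - y_prev);
}

/* Channel B: Q15 arithmetic with a 32-bit accumulator and saturation.
 * Division by 2^15 (not a shift) keeps rounding well defined for negatives. */
static int16_t lpf_q15_step(int16_t y_prev, int16_t x)
{
    int32_t diff = (int32_t)x - (int32_t)y_prev;          /* |diff| < 2^16 */
    int32_t acc  = (int32_t)y_prev + (diff * ALPHA_Q15) / 32768;
    if (acc > INT16_MAX) acc = INT16_MAX;
    if (acc < INT16_MIN) acc = INT16_MIN;
    return (int16_t)acc;
}

static float abs_f(float v) { return (v < 0.0f) ? -v : v; }

void diverse_filter_init(diverse_filter_t *f)
{
    f->y_float = 0.0f;
    f->y_q15   = 0;
}

/* Advance both channels by one sample x in [-1, 1) and compare them.
 * *y_out receives channel A's output; the return value reports whether the
 * channels still agree within TOLERANCE. */
diverse_status_t diverse_filter_step(diverse_filter_t *f, float x, float *y_out)
{
    float scaled = x * Q15_ONE;                      /* quantise input to Q15 */
    if (scaled > (float)INT16_MAX) scaled = (float)INT16_MAX;
    if (scaled < (float)INT16_MIN) scaled = (float)INT16_MIN;
    int16_t x_q15 = (int16_t)scaled;

    f->y_float = lpf_float_step(f->y_float, x);
    f->y_q15   = lpf_q15_step(f->y_q15, x_q15);

    *y_out = f->y_float;
    float y_fixed = (float)f->y_q15 / Q15_ONE;
    return (abs_f(f->y_float - y_fixed) <= TOLERANCE) ? DIVERSE_OK
                                                       : DIVERSE_MISMATCH;
}

/* Healthy run: a constructed step input of 0.5 for 20 samples.
 * Returns the number of samples on which the channels disagreed (expected 0). */
int diverse_demo_healthy(void)
{
    diverse_filter_t f;
    float y;
    int mismatches = 0;
    diverse_filter_init(&f);
    for (int n = 0; n < 20; n++) {
        if (diverse_filter_step(&f, 0.5f, &y) == DIVERSE_MISMATCH) mismatches++;
    }
    return mismatches;
}

/* Fault injection: corrupt the fixed-point state (as a bit flip or a wrong
 * scaling in one channel would) and check that the next step is flagged. */
diverse_status_t diverse_demo_injected_fault(void)
{
    diverse_filter_t f;
    float y;
    diverse_filter_init(&f);
    f.y_q15 = 20000;            /* ~0.61, while channel A still holds 0.0 */
    return diverse_filter_step(&f, 0.5f, &y);
}

int main(void)
{
    printf("healthy run: %d mismatches\n", diverse_demo_healthy());
    printf("injected fault: %s\n",
           diverse_demo_injected_fault() == DIVERSE_MISMATCH ? "detected" : "missed");
    return 0;
}
```

The comparison tolerance is the key design decision: it must be wide enough to absorb the quantisation error of the fixed-point channel, yet tight enough that a genuine divergence (here injected by corrupting the fixed-point state) is reported on the very next sample rather than drifting unnoticed.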
Table A.4 – Software Design and Implementation

Technique/Measure | SIL 0 | SIL1/SIL2* | SIL3/SIL4** | Applicable Model-Based Design Tools and Processes | Comments

1. Formal Methods | - | R | HR | |
2. Modeling | - | HR | HR | Simulink; Stateflow | Simulink and Stateflow can be used to draw data flow, control flow, finite state machines, state transition diagrams and truth tables. See Table A.17 (2,3,4,6).
3. Structured methodology | R | HR | HR | Simulink; Stateflow; Simulink Verification and Validation – Requirement Management Interface | Simulink and Stateflow can be used to intuitively decompose and define functions, modes, and algorithms. Simulink and Stateflow can be used to create structured models and data, and to express different functional layers described in the requirements. Simulink Verification and Validation – Requirement Management Interface can be used for traceability from requirements documents to the models.
4. Modular Approach | HR | M | M | Simulink – Model block, Ports & Subsystems block library; Stateflow; MATLAB; Embedded Coder | Model blocks (model referencing), subsystems, libraries, MATLAB functions, and Stateflow charts support hierarchical decomposition of models. Embedded Coder supports modularization of code at the file level. A file can be associated with a model, subsystem, MATLAB function, or reusable utility function.
5. Components | HR | HR | HR | Simulink | Components can be independently developed, verified and incrementally integrated using Simulink model reference. Component interfaces can be fully defined with limited parameters using Simulink. See Table A.20 (3,4).
6. Design and Coding Standards | HR | HR | M | Simulink – Modeling Guidelines for High-Integrity Systems; Embedded Coder | Modeling Standard – the Modeling Guidelines for High-Integrity Systems can address items in Table A.12 (1, 2, 6, 9). Coding Standard – MISRA AC AGC can be used in conjunction with Embedded Coder to address items in Table A.12 (3,4,5,11).
7. Analyzable Programs | HR | HR | HR | Simulink, Stateflow; Simulink – Modeling Guidelines for High-Integrity Systems; Simulink Report Generator – Web View, System Design Description (SDD) report; Simulink Verification and Validation – Model Advisor checks; Simulink Design Verifier – Property proving, design error detection; Embedded Coder – Configuration | Simulink and Stateflow facilitate the creation of analyzable designs. The Modeling Guidelines for High-Integrity Systems support the creation of analyzable programs at the model level. Analyzability at the model level can be facilitated by manual model reviews. Such reviews can be based on a model, a generated Web View, or an SDD report. Analyzability at the model level can be facilitated by static analysis. Static analysis at the model level can be supported by EN 50128, Requirements Consistency, and custom checks in Model Advisor. Analyzability at the model level can be facilitated by formal verification. Property proving can be used to verify model properties using formal verification techniques. Design error detection can analyze a model to detect the following common design errors: integer overflow, division by zero, dead logic, and assertion violations. Embedded Coder can be configured to facilitate analyzability at the code level, e.g. by optimizing readability and traceability.
8. Strongly Typed Programming Language | R | HR | HR | Simulink, Stateflow; Simulink – Configuration; Simulink Verification and Validation – Model Advisor checks; Polyspace Code Prover – Code verification; Polyspace Bug Finder – MISRA-C checker | At the model level, Simulink and Stateflow can be configured to facilitate strong typing. Type compatibility constraints can be embedded in the math operator or logical blocks at the model level. EN 50128 checks and custom checks in Model Advisor can be used to check typing considerations at the model level. Polyspace Code Prover and Polyspace Bug Finder can be used to restrict data values to a sub-range of the underlying data type. Attempts to violate the defined sub-ranges will be flagged.
9. Structured Programming | R | HR | HR | Simulink; Stateflow; MATLAB; Modeling Guidelines | Modeling guidelines can help to ensure structured programming.
10. Programming Language | R | HR | HR | Embedded Coder; Simulink® PLC Coder™ | Embedded Coder supports the generation of C and C++ code from Simulink models. Simulink PLC Coder supports the generation of PLC code from Simulink models.
11. Language Subset | R | HR | HR | Simulink – Modeling Guidelines for High-Integrity Systems; Simulink Verification and Validation – Model Advisor checks; Embedded Coder | The Modeling Guidelines for High-Integrity Systems and custom guidelines can support the definition of analyzable programs at the model level. Static analysis at the model level can be supported by EN 50128 and custom checks in Model Advisor. Model Advisor checks can also help limit constructs to a subset of the modeling language. Embedded Coder configuration can prevent some constructs from being used, allowing only a subset of the C or C++ language.
12. Object Oriented Programming | R | R | R | Embedded Coder | Embedded Coder can generate encapsulated C++ classes from models.
13. Procedural programming | R | HR | HR | MATLAB®; MATLAB® Coder™; Embedded Coder | MATLAB supports procedural programming and subsequent code generation.
14. Metaprogramming | R | R | R | |

* Approved combination of techniques for SIL 1 / SIL 2:
- 3, 4, 5, 6 and one from 8, 9, or 10
** Approved combination of techniques for SIL 3 / SIL 4:
- 4, 5, 6, 8 and one from 1 or 2
Comments
<Specify chosen combination of techniques and add justification>

Table A.5 – Verification and Testing

Technique/Measure | SIL 0 | SIL1/SIL2* | SIL3/SIL4** | Applicable Model-Based Design Tools and Processes | Comments

1. Formal Proof | - | R | HR | Simulink – Model Verification block library; Simulink Design Verifier – Property proving, design error detection; Polyspace Code Prover – Code verification | Model Verification blocks can be used to formalize software safety requirements and other model properties. Property proving can be used to verify model properties using formal verification techniques. Design error detection can analyze a model to detect the following common design errors: integer overflow, division by zero, dead logic, and assertion violations. Run-time error detection can analyze C or C++ code to identify software errors that might occur during run time. Polyspace Code Prover provides code verification that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in source code. Polyspace Code Prover uses formal methods-based abstract interpretation techniques to verify code.
2. Static Analysis | - | HR | HR | Table A.19 – Static Analysis; Simulink; Polyspace Bug Finder – MISRA-C Checker; Polyspace Code Prover – Code metrics | Model Advisor can be used to verify compliance to the modeling standard. See Table A.19 (2) Checklists. Simulink can provide diagnostics on data flow at model compilation time. See Table A.19 (4) Data Flow Analysis. Simulink can be used to review and annotate the model with comments. See Table A.19 (6) Walkthroughs/Design Reviews. The MISRA checker can be used to analyze hand code or code generated from Simulink models. See Table A.19 (2) Checklists. The abstract interpretation method can be used to prove the absence of certain runtime errors in the source code. See Table A.19 (1) Boundary Value Analysis, Table A.19 (3) Control Flow Analysis, Table A.19 (4) Data Flow Analysis.
3. Dynamic Analysis and Testing | - | HR | HR | Simulink; Embedded Coder – Processor-in-the-loop (PIL) testing; Simulink Design Verifier – Test Generation | Simulink can be used to perform requirement-based testing on the model. See Table A.13 (1) Test Case Execution from Boundary Value Analysis, Table A.13 (5) Equivalence Classes and Input Partition Testing. PIL mode from Simulink with Embedded Coder can be used to compare numerical equivalence of simulation and production code execution. Inputs can be based on requirements or generated from the model using Simulink Design Verifier. See Table A.13 (6) Structure-Based Testing.
4. Metrics | - | R | R | Simulink Verification and Validation – Cyclomatic Complexity Metric; Simulink Verification and Validation – EN 50128 checks; Embedded Coder – Code generation report; Polyspace Bug Finder – Code metrics | Simulink Verification and Validation provides the ability to measure the complexity of given models and functions. EN 50128 Model Advisor check “Display model metrics and complexity report” provides information on the size and complexity of models and subsystems. The static code metrics section of the code generation report provides the amount of memory used by the generated code. Polyspace Bug Finder supports the generation of size and complexity metrics for source code.
5. Traceability | R | HR | M | Simulink Verification and Validation – Requirements Management Interface (RMI); Embedded Coder – Code generation report; IEC Certification Kit – Traceability matrix | RMI can be used to establish bidirectional links between textual requirements and models. Embedded Coder can be used to establish bidirectional links between models and generated code. Generated traceability matrices can be used to document and review existing links between textual requirements, models, and code.
6. Software Error Effect Analysis | - | R | HR | |
7. Test Coverage for Code | R | HR | HR | Simulink Verification and Validation – Model Coverage; Embedded Coder – Code coverage analysis | Model coverage can be used on the model during simulation. See Table A.21 (2) Branch, Table A.21 (3) Compound Condition, Table A.21 (4) Data Flow (via static analysis). A third-party code coverage tool (e.g. LDRA) can be configured with Embedded Coder. Results can be viewed in the Embedded Coder Code Generation Report. See Table A.21 (1) Statement, Table A.21 (2) Branch, Table A.21 (3) Compound Condition.
8. Functional/Black Box testing | HR | HR | M | Simulink; Embedded Coder – Processor-in-the-loop (PIL) testing; Polyspace | Simulink can be used to perform requirement-based testing on the model. Tests can be reused in PIL. See Table A.14 (3) Boundary Value Analysis (with Simulation), Table A.14 (4) Equivalence Classes and Input Partition Testing.
9. Performance Testing | - | HR | HR | Simulink; Embedded Coder – Profiling | Simulation can be used to verify the accuracy of the calculation and the responsiveness of a control loop. See Table A.18 (3) Performance Requirements. Profiling can be used to measure the CPU load of software that runs on the target. See Table A.18 (3) Performance Requirements.
10. Interface Testing | HR | HR | HR | Simulink Design Verifier – Test case generation; Simulink; Polyspace Code Prover – Code verification, unreachable code analysis | Automatic test case generation in combination with Test Objective blocks can be used to generate interface tests and verify model behavior during simulation. Polyspace data range checking can be used to reduce interface testing.

* Approved combination of techniques for SIL 1 / SIL 2:
- 5 and one from 2, 3 or 8
** Approved combination of techniques for SIL 3 / SIL 4:
- 3, 5, 7, 8 and one from 1, 2 or 6
Comments
<Specify chosen combination of techniques and add justification>

Table A.6 – Integration

Technique/Measure | SIL 0 | SIL1/SIL2 | SIL3/SIL4 | Applicable Model-Based Design Tools and Processes | Comments

1. Functional and Black Box Testing | HR | HR | HR | Simulink; Embedded Coder – Processor-in-the-loop (PIL) testing; Polyspace Code Prover – Code verification; Polyspace Bug Finder – MISRA-C checker | Simulink can be used to perform requirement-based testing on the application software model. Tests can be reused in PIL for the application software without basic software integration. Polyspace can be used to analyze boundary values. See Table A.14 (3) Boundary Value Analysis, Table A.14 (4) Equivalence Classes and Input Partition Testing.
2. Performance Testing | - | R | HR | Table A.18 – Performance Testing |

Table A.7 – Overall Software Testing

Technique/Measure | SIL 0 | SIL1/SIL2* | SIL3/SIL4 | Applicable Model-Based Design Tools and Processes | Comments

1. Performance Testing | - | HR | M | Table A.18 – Performance Testing |
2. Functional and Black Box Testing | HR | HR | M | Table A.14 – Functional/Black Box Test |
3. Modeling | - | R | R | Table A.17 – Modeling |

* Approved combination of techniques for SIL 1 / SIL 2:
- 1 and 2
Comments
<Specify chosen combination of techniques and add justification>

Table A.8 – Software Analysis Techniques

Technique/Measure | SIL 0* | SIL1/SIL2* | SIL3/SIL4* | Applicable Model-Based Design Tools and Processes | Comments

1. Static Software Analysis | R | HR | HR | Table A.19 – Static Analysis | Polyspace can analyze both basic and application software. See Table A.19 (1) Boundary Value Analysis, Table A.19 (3) Control Flow Analysis, Table A.19 (4) Data Flow Analysis.
2. Dynamic Software Analysis | - | R | HR | MATLAB | Requirement-based test cases developed in Simulink can be exported to a different testing environment.
3. Cause Consequence Diagrams | R | R | R | |
4. Event Tree Analysis | - | R | R | |
5. Software Error Effect Analysis | - | R | HR | |

* One or more of these techniques shall be selected to satisfy the software SIL being used

Table A.9 – Software Quality Assurance

Technique/Measure | SIL 0 | SIL1/SIL2 | SIL3/SIL4 | Applicable Model-Based Design Tools and Processes | Comments

1. Accredited to EN ISO 9001 | R | HR | HR | |
2. Compliant with EN ISO 9001 | M | M | M | |
3. Compliant with ISO/IEC 90003 | R | R | R | |
4. Company Quality System | M | M | M | |
5. Software Configuration Management | M | M | M | Simulink – Projects | Simulink Projects supports configuration management when using Model-Based Design.
6. Checklists | R | HR | HR | |
7. Traceability | R | HR | M | Simulink Verification and Validation – Requirements Management Interface (RMI); Embedded Coder – Code generation report; IEC Certification Kit – Traceability matrix | RMI can be used to establish bidirectional links between textual requirements and models. Embedded Coder can be used to establish bidirectional links between models and generated code. Generated traceability matrices can be used to document and review existing links between textual requirements, models, and code.
8. Data Recording and Analysis | HR | HR | M | |

Table A.10 – Software Maintenance
SIL1/ SIL3/ Applicable Model-Based
Technique/Measure SIL 0 Comments
SIL2* SIL4** Design Tools and Processes
1. Impact Analysis R HR HR
2. Data Recording and Analysis HR HR M
* Approved combination of techniques for SIL 1 / SIL 2:
- 1 and 4
** Approved combinations of techniques for SIL 3 / SIL 4:
- 1, 4, 5, and 7
- 2, 3, and 6
Comments
<Specify chosen combination of techniques and add justification>

2.2 EN 50128 Annex A.2 Detailed Tables

Table A.12 – Coding Standards
Technique/Measure | SIL 0* | SIL 1/SIL 2* | SIL 3/SIL 4*
    Tools: Applicable Model-Based Design Tools and Processes
    Comments
1. Coding Standard | HR | HR | M
    Tools: Simulink – Modeling Guidelines
    Comments: The Modeling Guidelines for High-Integrity Systems and the MathWorks® Automotive Advisory Board — Control Algorithm Modeling Guidelines Using MATLAB®, Simulink®, and Stateflow® can be used to address the standard at model level.
2. Coding Style Guide | HR | HR | HR
    Tools: Simulink – Modeling Guidelines
    Comments: The Modeling Guidelines for High-Integrity Systems and the MathWorks® Automotive Advisory Board — Control Algorithm Modeling Guidelines Using MATLAB®, Simulink®, and Stateflow® can be used to address the standard at model level.
3. No Dynamic Objects | - | R | HR
    Tools: Embedded Coder – Configuration; Polyspace Bug Finder – MISRA-C checker
    Comments: Embedded Coder can be configured to generate C code that does not include dynamic variables. Polyspace Bug Finder can assess compliance with MISRA-C rules for dynamic objects.
4. No Dynamic Variables | - | R | HR
    Tools: Embedded Coder – Configuration; Polyspace Bug Finder – MISRA-C checker
    Comments: Embedded Coder can be configured to generate C code that does not include dynamic variables. Polyspace Bug Finder can assess compliance with MISRA-C rules for dynamic variables.
5. Limited Use of Pointers | - | R | R
    Tools: Embedded Coder – Configuration; Polyspace Bug Finder – MISRA-C checker; Polyspace Code Prover – Code verification
    Comments: Embedded Coder may generate pointer arithmetic for certain language features — for example, lookup tables or matrix multiplication. Embedded Coder checks the data type and range of values to prevent corruption of address spaces. Polyspace Bug Finder can assess compliance with MISRA-C rules for the use of pointers. Polyspace Code Prover can check whether pointers refer to valid objects. Violations are reported as IDP checks.
6. Limited Use of Recursion | - | R | HR
    Tools: Simulink – Modeling Guidelines; Polyspace Code Prover – Call tree computation; Polyspace Bug Finder – MISRA-C checker
    Comments: Adherence can be facilitated by applying modeling guidelines. High-integrity guideline hisf_0004 provides corresponding modeling recommendations. Avoid using n-D Lookup Table and Interpolation blocks and Prelookup blocks with dimensions > 5. Call graphs generated by Polyspace Code Prover can be reviewed to identify recursive function calls. Polyspace Bug Finder can assess compliance with MISRA-C rules for recursion.
7. No Unconditional Jumps | - | HR | HR
    Tools: Polyspace Bug Finder – MISRA-C checker
    Comments: Polyspace Bug Finder can assess compliance with MISRA-C rules for unconditional jumps.
8. Limited size and complexity of Functions, Subroutines and Methods | HR | HR | HR
    Tools: Simulink; Stateflow; Embedded Coder; Simulink Verification and Validation – Cyclomatic Complexity Metric, EN 50128 checks; Polyspace Bug Finder – Code metrics
    Comments: Software components can be structured hierarchically to limit component size. Simulink Verification and Validation provides the ability to measure the complexity of given models and functions. EN 50128 Model Advisor check “Display model metrics and complexity report” provides information on the size and complexity of models and subsystems. Polyspace Bug Finder supports the generation of size and complexity metrics for source code.
9. Entry/Exit Point strategy for Functions, Subroutines and Methods | R | HR | HR
    Tools: Simulink – Modeling Guidelines; Polyspace Bug Finder – MISRA-C checker
    Comments: Adherence can be facilitated by applying modeling guidelines in combination with analyzing generated code. MAAB guideline jc_0511 provides corresponding modeling recommendations. Polyspace Bug Finder can assess compliance with MISRA-C rules for functions, subroutines and methods.
10. Limited number of Subroutine parameters | R | R | R
11. Limited use of Global Variables | HR | HR | M
    Tools: Simulink; Embedded Coder – Configuration
    Comments: Usage of Data Store Memory blocks needs to be reviewed and justified. Selecting the Enable local block outputs optimization reduces the use of global variables in generated code.
* It is accepted that techniques 3, 4 and 5 may be present as part of a validated compiler or translator.

Table A.13 – Dynamic Analysis and Testing
Technique/Measure | SIL 0 | SIL 1/SIL 2 | SIL 3/SIL 4
    Tools: Applicable Model-Based Design Tools and Processes
    Comments
1. Test Case Execution from Boundary Value Analysis | - | HR | HR
    Tools: Simulink Design Verifier – Test case generation
    Comments: Automatic test case generation in combination with Test Objective blocks can be used to generate test cases and test sequences for given boundary values.
2. Test Case Execution from Error Guessing | R | R | R
3. Test Case Execution from Error Seeding | - | R | R
    Tools: Simulink; Stateflow; Simulink Design Verifier – Test case generation
    Comments: Simulink and Stateflow can be used to carry out fault injection tests. The tools can also be used to simulate failure propagation at the model level. For this purpose, the system model and a separate failure model can be used. Automatic test case generation in combination with Test Objective blocks can be used to generate test cases and test sequences for error seeding tests.
4. Performance Modeling | - | R | HR
5. Equivalence Classes and Input Partition Testing | R | R | HR
    Tools: Simulink Design Verifier – Test case generation
    Comments: The analysis of equivalence classes can be based on the interfaces of the model. Automatic test case generation in combination with Test Objective blocks can be used to generate test cases and test sequences for given equivalence classes.
6. Structure-Based Testing | - | R | HR
    Tools: Simulink Verification and Validation – Model coverage analysis; Simulink Design Verifier – Test case generation; Embedded Coder – Code coverage analysis
    Comments: During model testing, Simulink Verification and Validation can collect structural coverage (Decision, Condition, MC/DC, look-up table coverage) at the model level. Simulink Design Verifier can generate test cases that satisfy coverage objectives at the model level. During software-in-the-loop (SIL) simulation, Embedded Coder can collect MC/DC coverage by using the third-party tool LDRA Testbed®.

Table A.14 – Functional/Black Box Test
Technique/Measure | SIL 0 | SIL 1/SIL 2 | SIL 3/SIL 4
    Tools: Applicable Model-Based Design Tools and Processes
    Comments
1. Test Case Execution from Cause Consequence Diagrams | - | R | R
2. Prototyping/Animation | - | - | R
    Tools: Simulink® Coder™; Embedded Coder™; HDL Coder™; Simulink® Real-Time™; Simulink® 3D Animation™; Gauges Blockset™
    Comments: Simulink Coder can be used to generate code for rapid prototyping. Embedded Coder can be used to generate code for on-target rapid prototyping. Software-in-the-loop (SIL) and processor-in-the-loop (PIL) simulation can be used to execute generated code in the context of a model. HDL Coder can be used to generate on-target rapid prototyping on FPGA. Simulink Real-Time can be used to perform rapid prototyping on Windows platforms. Simulink 3D Animation can be used to animate 3-dimensional scenes driven by signals in a model. Gauges Blockset can be used to add graphical instrumentation to models.
3. Boundary Value Analysis | R | HR | HR
    Tools: Simulink Design Verifier – Test case generation
    Comments: Automatic test case generation in combination with Test Objective blocks can be used to generate test cases and test sequences for given boundary values.
4. Equivalence Classes and Input Partition Testing | R | HR | HR
    Tools: Simulink Design Verifier – Test case generation
    Comments: The analysis of equivalence classes can be based on the interfaces of the model. Automatic test case generation in combination with Test Objective blocks can be used to generate test cases and test sequences for given equivalence classes.
5. Process Simulation | R | R | R
    Tools: Simulink; Stateflow; Simscape™
    Comments: Simulink supports simulation of algorithm and environment models.

Table A.16 – Diagrammatic Languages for Application Algorithms
Technique/Measure | SIL 0 | SIL 1/SIL 2 | SIL 3/SIL 4
    Tools: Applicable Model-Based Design Tools and Processes
    Comments
1. Functional Block Diagrams | R | R | R
    Tools: Simulink
    Comments: Functional block diagrams in Simulink can be used to model algorithms and equations.
2. Sequential Function Charts | - | HR | HR
3. Ladder Diagrams | R | R | R
4. State Charts | R | HR | HR
    Tools: Stateflow – State charts
    Comments: Stateflow supports finite state machines using Mealy and Moore semantics.

Table A.17 – Modeling
Technique/Measure | SIL 0 | SIL 1/SIL 2* | SIL 3/SIL 4*
    Tools: Applicable Model-Based Design Tools and Processes
    Comments
1. Data Modeling | R | R | HR
2. Data Flow Diagrams | - | R | HR
    Tools: Simulink
    Comments: Simulink can be used to represent data flow between components and functions.
3. Control Flow Diagrams | R | R | HR
    Tools: Stateflow – Flow charts
    Comments: Flow charts in Stateflow can be used to represent control flow diagrams.
4. Finite State Machines or State Transition Diagrams | - | HR | HR
    Tools: Stateflow – Statecharts
    Comments: Stateflow supports finite state machines using Mealy and Moore semantics.
5. Time Petri Nets | - | R | HR
6. Decision/Truth Tables | R | R | HR
    Tools: Stateflow – Truth Table block
    Comments: The Truth Table block enables the usage of truth table logic directly in a Simulink model.
7. Formal Methods | - | R | HR
    Tools: Simulink – Model Verification block library; Simulink Design Verifier – Property proving, design error detection
    Comments: Model Verification blocks can be used to formalize software safety requirements and other model properties. Property proving can be used to verify model properties. Design error detection can analyze a model to detect the following common design errors: integer overflow, division by zero, dead logic, and assertion violations.
8. Performance Modeling | - | R | HR
9. Prototyping/Animation | - | R | R
    Tools: Simulink Real-Time; Simulink 3D Animation
    Comments: Simulink Real-Time can be used to perform rapid prototyping on Windows platforms. Simulink 3D Animation can be used to animate 3-dimensional scenes driven by signals in a model.
10. Structure Diagrams | - | R | HR
11. Sequence Diagrams | R | HR | HR
* At least one of the HR techniques shall be chosen.

Table A.18 – Performance Testing
Technique/Measure | SIL 0 | SIL 1/SIL 2 | SIL 3/SIL 4
    Tools: Applicable Model-Based Design Tools and Processes
    Comments
1. Avalanche/Stress Testing | - | R | HR
2. Response Timing and Memory Constraints | - | HR | HR
    Tools: Embedded Coder – Processor-in-the-loop (PIL) testing, code generation report
    Comments: PIL testing analyzes resource utilization on a target processor. The static code metrics section of the code generation report provides the amount of memory used by the generated code.
3. Performance Requirements | - | HR | HR
    Tools: Simulink
    Comments: Simulink simulations can be used to verify the accuracy and correctness of equations and algorithms.

Table A.19 – Static Analysis
Technique/Measure | SIL 0 | SIL 1/SIL 2 | SIL 3/SIL 4
    Tools: Applicable Model-Based Design Tools and Processes
    Comments
1. Boundary Value Analysis | - | R | HR
    Tools: Simulink Design Verifier – Test case generation
    Comments: Automatic test case generation in combination with Test Objective blocks can be used to generate test cases and test sequences for given boundary values.
2. Checklists | - | R | R
    Tools: Simulink Verification and Validation – EN 50128 checks
    Comments: EN 50128 checks can be used to verify model compliance to modeling standards.
3. Control Flow Analysis | - | HR | HR
    Tools: Simulink Verification and Validation – Model coverage analysis; Simulink Design Verifier – Test case generation; Polyspace Code Prover – Call tree computation, unreachable code analysis
    Comments: Model coverage analysis can help to identify unreachable portions of a model. Automatic test case generation can be used to detect unreachable model constructs that could result in unreachable code. Polyspace Code Prover can partially extract control flow information from C code and can create the application call tree. Gray checks detect unreachable code.
4. Data Flow Analysis | - | HR | HR
    Tools: Simulink – Diagnostics; Stateflow – Diagnostics; Polyspace Code Prover – Code verification
    Comments: Data Store Memory block diagnostics and Stateflow diagnostics can be configured to identify data flow issues. Polyspace Code Prover supports static verification of dynamic properties of generated code. This verification technique is based on data flow analysis.
5. Error Guessing | R | R |
6. Walkthroughs/Design Reviews | HR | HR | HR
    Tools: Simulink; Simulink Report Generator – Web View, System Design Description (SDD) report
    Comments: Unit design walkthroughs can be based on a model, a generated Web View, or an SDD report.
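Two of the call-tree reviews named in these tables, spotting recursion (Table A.12, technique 6) and spotting functions that no entry point reaches (Table A.19, technique 3), can be done mechanically once the call graph is available. The script below is an added example and is not Polyspace code or part of the IEC Certification Kit; the call graph and function names in it are constructed to resemble a generated step function, and `ENTRY_POINTS` is an assumed list of scheduler entry points. It finds direct and indirect recursion as strongly connected components of the caller/callee graph and lists every function not reachable from the entry points.

```python
"""Call-graph review helpers (added example, not tool code).

Given a caller -> callees map, report (a) functions that take part in recursion,
directly (f calls f) or indirectly (f -> g -> f), and (b) functions that are not
reachable from the declared entry points.  Both are the questions a reviewer
asks of a call tree when applying Table A.12 (6) and Table A.19 (3).
"""
from collections import deque
from typing import Dict, List, Set

CallGraph = Dict[str, List[str]]   # caller -> list of callees

# Constructed call graph resembling generated controller code.  All names are
# assumptions for the example, not output from any tool.
SAMPLE_GRAPH: CallGraph = {
    "model_step":    ["read_inputs", "update_state", "look_up_1d", "write_outputs"],
    "read_inputs":   [],
    "update_state":  ["check_limits"],
    "check_limits":  ["update_state"],   # indirect recursion: update_state -> check_limits -> update_state
    "look_up_1d":    [],
    "write_outputs": [],
    "parse_frame":   ["parse_frame"],    # direct recursion, and nobody calls it
    "legacy_init":   ["read_inputs"],    # dead: not reachable from any entry point
}
ENTRY_POINTS = ["model_step"]            # assumed scheduler entry point


def all_functions(graph: CallGraph) -> List[str]:
    """Every function that appears as caller or callee, in a stable order."""
    names = set(graph)
    for callees in graph.values():
        names.update(callees)
    return sorted(names)


def strongly_connected_components(graph: CallGraph) -> List[Set[str]]:
    """Tarjan's algorithm.  A component with more than one member, or a single
    member that calls itself, is a recursion cycle."""
    index: Dict[str, int] = {}
    low: Dict[str, int] = {}
    stack: List[str] = []
    on_stack: Set[str] = set()
    components: List[Set[str]] = []
    counter = [0]

    def visit(v: str) -> None:
        index[v] = low[v] = counter[0]
        counter[0] += 1
        stack.append(v)
        on_stack.add(v)
        for w in graph.get(v, []):
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:          # v is the root of a component
            comp: Set[str] = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            components.append(comp)

    for v in all_functions(graph):
        if v not in index:
            visit(v)
    return components


def recursive_functions(graph: CallGraph) -> Set[str]:
    """Functions that participate in any recursion cycle."""
    result: Set[str] = set()
    for comp in strongly_connected_components(graph):
        if len(comp) > 1:
            result |= comp
        else:
            (f,) = comp
            if f in graph.get(f, []):   # self-call
                result.add(f)
    return result


def unreachable_functions(graph: CallGraph, entry_points: List[str]) -> Set[str]:
    """Functions not reachable from any entry point (breadth-first walk)."""
    seen: Set[str] = set(entry_points)
    queue = deque(entry_points)
    while queue:
        f = queue.popleft()
        for callee in graph.get(f, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return set(all_functions(graph)) - seen


def review_report(graph: CallGraph, entry_points: List[str]) -> Dict[str, List[str]]:
    return {
        "recursive": sorted(recursive_functions(graph)),
        "unreachable": sorted(unreachable_functions(graph, entry_points)),
    }


if __name__ == "__main__":
    for finding, names in review_report(SAMPLE_GRAPH, ENTRY_POINTS).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

On the constructed graph the report flags `update_state` and `check_limits` (mutual recursion), `parse_frame` (self-recursion) and, as unreachable, `parse_frame` and `legacy_init`. A function that appears in both lists is the common case of dead code that also violates the recursion rule; it should be removed rather than justified.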

Table A.20 – Components
Technique/Measure | SIL 0 | SIL 1/SIL 2 | SIL 3/SIL 4
    Tools: Applicable Model-Based Design Tools and Processes
    Comments
1. Information Hiding | - | - | -
    Tools: Simulink – Model block, Ports & Subsystems block library; Stateflow
    Comments: Model blocks (model referencing), subsystems, libraries, and Stateflow charts can support hierarchical information hiding.
2. Information Encapsulation | R | HR | HR
    Tools: Simulink – Model block, Ports & Subsystems block library; Stateflow; Simulink – Model Dependency Viewer
    Comments: Model blocks (model referencing), subsystems, libraries, and Stateflow charts can support information encapsulation. When using Model blocks or libraries to structure a model, the Model Dependency Viewer can display a graph of models and libraries referenced by the top model.
3. Parameter Number Limit | R | R | R
4. Fully Defined Interface | R | HR | M
    Tools: Simulink – Model blocks; Simulink Verification and Validation – EN 50128 checks
    Comments: The usage of Model blocks facilitates well-defined interface specifications at the Model block boundaries. EN 50128 Model Advisor check “Check for fully defined interface” identifies root model Inport blocks that have missing attributes.

Table A.21 – Test Coverage for Code
Technique/Measure | SIL 0* | SIL 1/SIL 2* | SIL 3/SIL 4*,**
    Tools: Applicable Model-Based Design Tools and Processes
    Comments
1. Statement | R | HR | HR
    Tools: Embedded Coder – Code coverage analysis
    Comments: During software-in-the-loop (SIL) simulation, Embedded Coder can collect statement coverage by using the third-party tool LDRA Testbed®. During SIL simulation, Embedded Coder can collect condition/decision coverage information, which usually subsumes statement coverage, by using the third-party tool BullseyeCoverage™.
2. Branch | - | R | HR
    Tools: Simulink Verification and Validation – Model coverage analysis; Simulink Design Verifier – Test case generation; Embedded Coder – Code coverage analysis
    Comments: During model testing, Simulink Verification and Validation can collect decision coverage (also known as branch coverage) at the model level. Simulink Design Verifier can generate test cases that satisfy decision coverage at the model level. During software-in-the-loop (SIL) simulation, Embedded Coder can collect statement coverage by using the third-party tool LDRA Testbed®. During SIL simulation, Embedded Coder can collect condition/decision coverage, which usually subsumes statement coverage, by using the third-party tool BullseyeCoverage™.
3. Compound Condition | - | R | HR
    Tools: Simulink Verification and Validation – Model coverage analysis; Simulink Design Verifier – Test case generation; Embedded Coder – Code coverage analysis
    Comments: During model testing, Simulink Verification and Validation can collect MC/DC coverage at the model level. Simulink Design Verifier can be used to generate test cases that satisfy MC/DC coverage at the model level. During SIL simulation, Embedded Coder can collect MC/DC coverage by using the third-party tool LDRA Testbed®.
4. Data Flow | - | R | HR
5. Path | - | R | HR
* For every SIL, a quantified measure of coverage shall be developed for the test undertaken.
** For SIL 3 / SIL 4, test coverage at component level should be measured according to one of the following:
- 2 and 3
- 2 and 4
- 5
Comments
<Specify chosen combination of techniques and add justification>
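The difference between the Branch and Compound Condition rows of Table A.21 (and the Decision, Condition and MC/DC coverage named in Table A.13, technique 6) is easiest to see on one decision with a concrete test set. The script below is an added example, not code from the IEC Certification Kit or from any coverage tool: it evaluates a constructed three-condition decision, `(stopped and doors_enabled) or maintenance`, against three constructed test sets and reports decision (branch), condition and unique-cause MC/DC coverage. It also searches for the smallest MC/DC test set, which for n conditions has at least n + 1 tests.

```python
"""Coverage criteria for a single decision (added example, not tool code).

  decision (branch):   the decision has evaluated to both True and False
  condition:           every condition has taken both values
  MC/DC (unique cause): for every condition there is a pair of tests that differ
                        only in that condition and produce different outcomes
Decision and condition coverage do not imply each other; MC/DC implies both.
"""
from itertools import combinations, product
from typing import Callable, Dict, List, Optional, Sequence, Tuple

Test = Tuple[bool, ...]                 # one value per condition
Decision = Callable[[Test], bool]

# Constructed decision: door release is permitted when the train is stopped AND
# the doors are enabled, OR maintenance mode is active.  Names are assumptions.
def door_release(t: Test) -> bool:
    stopped, doors_enabled, maintenance = t
    return (stopped and doors_enabled) or maintenance

N_CONDITIONS = 3
T, F = True, False

# Constructed test sets (stopped, doors_enabled, maintenance).
TESTS_BRANCH_ONLY = [(T, T, F), (F, F, F)]               # both outcomes, but maintenance never True
TESTS_CONDITION_ONLY = [(T, T, F), (F, F, T)]            # every condition both ways, but outcome always True
TESTS_MCDC = [(T, T, F), (F, T, F), (T, F, F), (T, F, T)]


def decision_coverage(decide: Decision, tests: Sequence[Test]) -> bool:
    return {decide(t) for t in tests} == {True, False}


def condition_coverage(tests: Sequence[Test], n: int) -> bool:
    return all({t[i] for t in tests} == {True, False} for i in range(n))


def mcdc_pair(decide: Decision, tests: Sequence[Test], i: int) -> Optional[Tuple[Test, Test]]:
    """Two tests that differ only in condition i and flip the outcome, or None."""
    for a, b in combinations(tests, 2):
        others_equal = all(a[j] == b[j] for j in range(len(a)) if j != i)
        if a[i] != b[i] and others_equal and decide(a) != decide(b):
            return (a, b)
    return None


def mcdc_coverage(decide: Decision, tests: Sequence[Test], n: int) -> bool:
    return all(mcdc_pair(decide, tests, i) is not None for i in range(n))


def coverage_report(decide: Decision, tests: Sequence[Test], n: int) -> Dict[str, bool]:
    return {
        "decision": decision_coverage(decide, tests),
        "condition": condition_coverage(tests, n),
        "mcdc": mcdc_coverage(decide, tests, n),
    }


def minimal_mcdc_set(decide: Decision, n: int) -> List[Test]:
    """Smallest MC/DC test set by exhaustive search over subsets of the 2**n
    possible tests (fine for small n).  Returns [] if some condition can never
    change the outcome, i.e. the decision is not MC/DC-testable."""
    all_tests = list(product([False, True], repeat=n))
    for size in range(n + 1, len(all_tests) + 1):
        for subset in combinations(all_tests, size):
            if mcdc_coverage(decide, subset, n):
                return list(subset)
    return []


if __name__ == "__main__":
    for name, tests in [("branch-only", TESTS_BRANCH_ONLY),
                        ("condition-only", TESTS_CONDITION_ONLY),
                        ("mcdc", TESTS_MCDC)]:
        print(name, coverage_report(door_release, tests, N_CONDITIONS))
    print("minimal MC/DC set:", minimal_mcdc_set(door_release, N_CONDITIONS))
```

The branch-only set reaches full decision coverage with two tests while never exercising maintenance mode; the condition-only set toggles every condition yet never observes the decision being False. Only the MC/DC set demonstrates that each condition on its own can change the outcome, which is what the SIL 3/SIL 4 requirement for Compound Condition coverage is asking a test suite to show.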
